How to survive the ransomware apocalypse

Oct. 26, 2020
Preventing ransomware attacks is now more important for businesses than ever before

From primitive screen lockers to sophisticated enterprise-targeting nasties, ransomware is a dynamically evolving strain of malicious code that has instilled fear in individuals and businesses for years. Nowadays, no operating system is immune to this impact: Windows, Linux, and macOS are all susceptible to extortion attacks to a different extent. Taking website databases hostage is an increasingly common tactic of malicious actors, too.

Ransomware is also a cybercrime heavyweight in terms of the profit generated by the perpetrators in charge of these campaigns. The average size of the ransom has gone from several hundred dollars at the dawn of the plague – up to hundreds of thousands or even millions of dollars per victimized organization now in 2020.

This article will give you insights into this monstrous phenomenon from different angles. You will learn, among other things, when ransomware went pro, what roadblocks it has hit over the years, and what kind of a threat it is today.

CryptoLocker, a threat that broke new ground

Early ransom Trojans were crude infections whose adverse effect was restricted to locking a victim’s screen or web browser’s homepage. They were mostly manifested as “police” lockers impersonating local law enforcement agencies. These culprits had dominated the digital extortion niche until 2013 when a truly revolutionary pest called CryptoLocker splashed onto the scene. Its emergence changed everything and became a milestone in ransomware development.

CryptoLocker made a difference in several ways. First off, it was the first to use 2048-bit RSA encryption to make one’s files inaccessible. The public-private key pair was kept on the criminals’ Command and Control (C2) server, and the victims could only obtain it by paying the ransom. This threat also pioneered in accepting Bitcoin for payments, although it allowed for alternative channels such as prepaid Ukash, MoneyPak, Paysafecard, or CashU cards.

CryptoLocker vanished from the threat landscape in June 2014 courtesy of the well-coordinated Operation Tovar undertaken by police forces of different countries. This initiative ceased the activity of the Gameover ZeuS botnet, which was the backbone of the ransomware distribution campaign.

The big ransomware boom

The success of white hats didn’t mean the end of the epidemic. On the contrary, new high-profile strains started surfacing one after another. To top it off, their developers kept refining the offensive code and the underlying digital infrastructure to hamper attack attribution. They tried their hand at hosting C2 servers and payment sites on the Tor anonymity network. Additionally, they narrowed down the ransom options to Bitcoin to obfuscate the money trail.

In 2015, some cybercriminal groups adopted the so-called Ransomware-as-a-Service (RaaS) model, where developers get their cut from accomplices who distribute the infections. From then on, the extortion activity became a lot like a commonplace web-based business, with intuitive “affiliate” dashboards and turnkey contamination tools such as exploit kits being at felons’ fingertips.

This mix of dodgy efforts gave rise to complex ransomware samples such as CTB-Locker (2014) and CryptoWall (2015). In 2016, Locky, Cerber, CryptXXX, and CrySiS (aka Dharma) families debuted. The notorious WannaCry and NotPetya strains took the world by storm in 2017. Although CryptoLocker was already history at that point, it played its role by paving the way for the further evolution of the menace.

Ransoms reach mind-boggling heights

Back in the day, when the above-mentioned police lockers were in full swing, the size of the ransom didn’t exceed $100. CryptoLocker took it up a notch and demanded $600. When malefactors switched to cryptocurrency as the only payment method, the average ransom more than doubled. In some cases, it could reach $2,000 worth of Bitcoin or Monero (XMR).

As the complexity of ransomware grew and the criminals started focusing on organizations as juicier targets than regular users, the amounts started skyrocketing. This trend took root in 2016 and is currently making itself felt the most.

In June 2016, the University of Calgary based in Alberta, Canada, paid $20,000 to attackers to restore its systems locked down in a ransomware incident. The Los Angeles Valley College coughed up $28,000 in Bitcoin to decrypt its data in January 2017. In June of the same year, a South Korean technology company Nayana submitted $1 million in cryptocurrency to get back to its normal operation. For the record, this is the biggest payout reported to date.

Two years later, Riviera Beach City, Florida, sent $600,000 to crooks to get its computer network back on track. According to analysts, the ransoms demanded by the operators of the infamous Sodinokibi and Ryuk ransomware lineages saw a 33% increase in Q1 2020, with the average amount being $111,605.

A rising trend: encryption plus data breaches

As if the damage from sketchy encryption weren’t enough, ransomware groups have been additionally stealing victims’ data since November 2019. A strain called Maze was the first one to adopt this tactic.

By harvesting organizations’ files as part of the attack, criminals can pressure their targets into paying the ransom. If the negotiations don’t pan out, they dump the data on dedicated websites. Because this leak can ruin the reputation of a business, the victims are more likely to succumb to attackers’ terms.

This blackmail mechanism turned out to be so effective that other crews of extortionists have since followed suit. At the time of this publication, well over a dozen ransomware families are publishing their targets’ files in the event of non-payment.

In addition to the above-mentioned Maze ransomware, the following strains are now using data leak threats as extra leverage: AKO, CL0P, CryLock, DoppelPaymer, Nemty, Nephilim, Netwalker, ProLock, Pysa, Ragnar Locker, Sodinokibi, Sekhmet, Snake, and Snatch.

Ransomware operators team up

In early June 2020, several ransomware campaigns merged to create a cartel. As a result, the gangs behind Maze, LockBit, and Ragnar Locker are currently using a single data leak platform called “Maze News” to upload files previously stolen from companies that reject ransom demands.

This collaboration goes beyond sharing the same “public shaming” site originally set up by Maze ransomware operators. It also allows the crooks to exchange experience they have gained over time. The less competent “partners” can benefit from the advice provided by their more successful accomplices and thereby give their campaigns a boost.

No mercy from the crooks

Ransomware groups don’t care about their victims’ personal circumstances. Individuals, businesses, and nonprofits are all in the same boat in terms of the perpetrators’ ruthless treatment. A particularly revolting fact is that criminals continue to infect healthcare facilities during the COVID-19 crisis. Moreover, Interpol says the number of attacks against hospitals has increased amid the global coronavirus emergency. The felons in charge of the Ryuk ransomware have reportedly tried to plague at least 10 healthcare organizations since February 2020. The CrySiS ransomware has been doing the same.

The architects of several ransomware operations, including Maze, CL0P, DoppelPaymer, Nefilim, and Netwalker, assured security researchers that they wouldn’t be targeting medical institutions till the end of the pandemic. However, not all of them carry through with this promise. In late March 2020, Maze spilled sensitive data stolen from a UK medical research company. A code of ethics isn’t these crooks’ top priority, to put it mildly.

Fake ransomware attacks

Sometimes ransomware is used as a scare to hoodwink users into paying up. In mid-April 2020, scammers portraying themselves as ransomware operators started sending blackmail messages to numerous website owners. The impostors claim to have hacked the sites and copied the underlying databases to their servers.

The webmasters are instructed to pay $2,000 within five days to prevent this data from being released to the public. The scammers also threaten to de-index the sites and send the allegedly stolen databases to partners and customers, which can entail reputational losses.

The good news is these claims are all bark and no bite. The compromise is a fake, and most site owners are vigilant enough to ignore these messages. The wallets listed in the ransom notes have only received two payments in three months.

Such extortion attempts aren’t always a bluff, though. Cybercriminals have targeted numerous MongoDB databases and MySQL servers in real attacks since 2017. In late May 2020, hackers stole SQL databases of more than 20 online shops and contacted their proprietors to demand 0.06 BTC ($545) per site.

Ransomware today: far beyond malicious encryption

As previously mentioned, a handful of ransomware families pilfer companies’ data in addition to making it inaccessible. This unorthodox tactic is quickly gaining traction among extortionists. Essentially, it means the attack is two-pronged: it’s a cryptographic disaster and a data breach at the same time.

One more unsettling trend is gearing up for a rise in this ecosystem. Cybercrooks can maintain access to a breached network after the original infiltration. This way, a post-exploitation scenario kicks in, allowing the black hats to keep stealing files and to eavesdrop on their victims’ incidents response efforts. They can read the correspondence exchanged between an organization’s teams and counter these recovery measures.

Under the circumstances, preventing ransomware attacks is now more important for businesses than ever before. A combo of network segmentation, the principle of least privilege, timely security patches, penetration testing, data backups, and security awareness of the personnel can make the defenses proactive and help companies avoid the harsh impact.

About the author: David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs and projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.